The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries.
“A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky said. “The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts.”
The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan.
Rare Werewolf, also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of striking organizations in Russia and Ukraine. It’s believed to be active at least since 2019.
According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents, Telegram messenger data, and drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software.
The latest set of attacks documented by Kaspersky reveals the use of phishing emails as a malware delivery vehicle, using password-protected archives containing executable files as a starting point to activate the infection.
Present within the archive is an installer that’s used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy PDF document that mimics a payment order.
“This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system,” Kaspersky said.
These intermediate payloads are then used to fetch additional files from a remote server, including Defender Control and Blat, a legitimate utility for sending stolen data to an attacker-controlled email address over SMTP. The attacks are also characterized by the use of the AnyDesk remote desktop software, and a Windows batch script to facilitate data theft and the deployment of the miner.
A salient aspect of the batch script is that it launches a PowerShell script that incorporates capabilities for automatically waking up the victim system at 1 a.m. local time and allowing the attackers remote access to it for a four-hour window via AnyDesk. The machine is then shut down at 5 a.m. by means of a scheduled task.
“It is a common technique to leverage third-party legitimate software for malicious purposes, which makes detecting and attributing APT activity more difficult,” Kaspersky said. “All of the malicious functionality still relies on the installer, command, and PowerShell scripts.”
The disclosure comes as Positive Technologies revealed that a financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian entities using LockBit 3.0 ransomware. DarkGaboon, first discovered in January 2025, is said to be operational since May 2023.
The attacks, the company said, employ phishing emails bearing archive files containing RTF bait documents and Windows screensaver files to drop the LockBit encryptor and trojans like XWorm and Revenge RAT. The use of readily available tooling is seen as an attempt on the part of the attackers to blend in with broader cybercriminal activity and challenge attribution efforts.
“DarkGaboon is not a client of the LockBit RaaS service and acts independently, as indicated by the use of a publicly available version of the LockBit ransomware, the absence of traces of data exfiltration in the attacked companies, and the traditional threats to publish stolen information on the [data leak site] portal,” Positive Technologies researcher Victor Kazakov said.
